BRATISLAVA, Slovakia, Jan. 30, 2026 (GLOBE NEWSWIRE) -- ESET researchers identified new data-wiping malware that they named DynoWiper, used against an energy company in Poland. The tactics, techniques, and procedures (TTPs) observed during the DynoWiper incident closely resemble those of the previous incident involving the ZOV wiper in Ukraine; Z, O, and V are Russian military symbols. ESET Research attributes DynoWiper to Russia-aligned threat group Sandworm with medium confidence.

This incident represents a rare and previously undocumented case in which a Russia-aligned threat actor deployed destructive, data-wiping malware against an energy company in Poland. In 2025, ESET investigated more than 10 incidents involving destructive malware attributed to Sandworm, almost all of them occurring in Ukraine.

The installed EDR/XDR product, ESET PROTECT, blocked execution of the wiper, significantly limiting its impact in the environment. CERT Polska did an excellent job investigating the incident and published a detailed analysis in a report available on its website.

On December 29th, 2025, DynoWiper samples were deployed to what is probably a shared directory in the victim’s domain. It is possible that Sandworm operators first tested the operation on virtual machines before deploying the malware in the target organization. Three distinct samples were deployed and all attempts failed. The wiper overwrites files using a 16-byte buffer that contains random data generated once, at the start of the wiper’s execution. On an unprotected machine, files of size 16 bytes or fewer are fully overwritten. To speed up the destruction process, files larger than 16 bytes have only some parts of their contents overwritten. DynoWiper wipes files on all removable and fixed drives and finally forces the system to reboot, completing the destruction of the system.
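Because the same 16-byte buffer is reused for the whole run, damaged files from one host share an identical 16-byte block, which gives responders a way to scope the damage. The following triage sketch is an added example, not ESET's or CERT Polska's code; the file names, the buffer value, the thresholds and the assumption that a file shorter than 16 bytes holds a prefix of the buffer are all constructed for illustration.

```python
from collections import Counter
import os

BLOCK = 16  # buffer length stated in the text above

def windows(data, min_distinct=10):
    """Distinct 16-byte windows, skipping low-variety runs such as zero padding."""
    return {data[i:i + BLOCK] for i in range(len(data) - BLOCK + 1)
            if len(set(data[i:i + BLOCK])) >= min_distinct}

def shared_buffer(files, min_files=3):
    """Return (block, names) for the block found in the most files, else None."""
    counts = Counter()
    for data in files.values():
        counts.update(windows(data))  # a set, so each file votes once per block
    if not counts:
        return None
    block, hits = counts.most_common(1)[0]
    if hits < min_files:
        return None
    return block, sorted(n for n, d in files.items() if block in d)

def short_file_matches(files, block, min_len=8):
    """Files under 16 bytes equal to a prefix of block (assumed, not from the text)."""
    return sorted(n for n, d in files.items()
                  if min_len <= len(d) < BLOCK and block.startswith(d))

def build_sample():
    """Constructed in-memory sample; no real files or malware output involved."""
    buf = bytes.fromhex("9f3c17a2e45b08d16a7c2be0f1934d58")  # constructed value
    def stamp(body, *offsets):
        b = bytearray(body)
        for off in offsets:
            b[off:off + BLOCK] = buf
        return bytes(b)
    files = {
        "report.docx": stamp(os.urandom(4096), 0, 2048),
        "db.bak": stamp(os.urandom(8192), 512, 4000),
        "notes.txt": stamp(b"meeting notes, line %d\n" * 40 % tuple(range(40)), 0),
        "tiny.cfg": buf[:12],            # short file, assumed truncated buffer
        "clean.bin": os.urandom(4096),   # untouched file
        "zeros.img": bytes(4096),        # padding that must not count as a hit
    }
    return buf, files

if __name__ == "__main__":
    buf, files = build_sample()
    block, names = shared_buffer(files)
    print(block.hex(), names, short_file_matches(files, block))
```

Once a shared block is recovered from one host's damaged files, the same byte string can be searched for in backups or file-server snapshots to separate touched files from intact ones.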

Unlike other Sandworm malware including Industroyer and Industroyer2, the newly discovered DynoWiper samples focus solely on the IT environment, with no observed functionality targeting operational technology industrial components. However, this does not exclude the possibility that such capabilities were present elsewhere in the attack chain.

ESET Research identified several similarities to previously known destructive malware, specifically to the wiper ZOV, which ESET attributes to Sandworm with high confidence. DynoWiper operates in a broadly similar fashion to the ZOV wiper. Notably, the exclusion of certain directories and especially the clearly separate logic present in the code for wiping smaller and larger files can also be found in the ZOV wiper. ZOV is destructive malware that we detected being deployed against a financial institution in Ukraine in November 2025. Once executed, the ZOV wiper iterates over files on all fixed drives and wipes them by overwriting their contents. There was another ZOV wiper case at an energy company in Ukraine, where the attackers deployed the wiper on January 25th, 2024.

Sandworm is a Russia-aligned threat group that performs destructive attacks, targeting a wide range of entities including government agencies, logistics companies, transportation firms, energy providers, media organizations, grain sector companies, and telecommunications companies. These attacks typically involve the deployment of wiper malware – malicious software designed to delete files, erase data, and render systems unbootable.

Besides Ukraine, the group has a decade-long history of targeting companies in Poland, including those in the energy sector. In October 2022, it carried out a destructive attack against logistics companies in both Ukraine and Poland, disguising the operation as a Prestige ransomware incident. Because the majority of Sandworm’s cyberattacks currently target Ukraine, we collaborate closely with our Ukrainian partners, including the Computer Emergency Response Team of Ukraine (CERT-UA), to support both prevention and remediation efforts.

